«Тестирование безопасности GraphQL», Егор Богомолов, Wallarm

Transcript

1. Тестирование безопасности GraphQL API Богомолов Егор

2. Intro

3. Intro • GraphQL • Features • Instruments • Something new

4. GraphQL

5. GraphQL GraphQL is a query language for API

6. Features

7. Features (security features) • Introspection • Query Complexity • Query

   Depth • Injection via resolver

8. Instruments

9. Instruments Prints the GraphQL schema SDL from a GraphQL schema

   JSON introspection: Link: https://github.com/potatosalad/graphql-introspection-json-to-sdl Generate queries from GraphQL schema: Link: https://github.com/timqian/gql-generator A beautiful feature-rich GraphQL Client for all platforms: Link: https://altair.sirmuel.design/ Graphqler (Helps in security testing GraphQL applications): Link: https://github.com/sorokinpf/graphqler

10. Something new

11. GraphQL Batching Attack GraphQL is designed in a way that

    allows you to write clean code on the server, where every field on every type has a focused single-purpose function for resolving that value. However without additional consideration, a naive GraphQL service could be very "chatty" or repeatedly load data from your databases. This is commonly solved by a batching technique, where multiple requests for data from a backend are collected over a short period of time and then dispatched in a single request to an underlying database or microservice by using a tool like Facebook's DataLoader.

12. GraphQL Batching Attack Normal and Serial Execution Link: https://graphql.github.io/graphql-spec/June 2018/#sec-Normal-and-Serial-Execution

    For Queries? For Mutations?

13. 1 2 3 What’s the problem? Not all implementations follow

    the specification It gives you the opportunity to bypass information security systems Some operations must set a hit limit

14. Example 1

15. Example 2

16. Outro

17. Спасибо за внимание! Tg: @empty_jack E-Mail: [email protected]